[OpenID] Reconsidering http://openid different from https://openid
Josh Hoyt
josh at janrain.com
Wed Sep 19 19:42:17 UTC 2007
On 9/19/07, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
> I would also guess that a (human-level) impersonation attack by
> http://foo against https://foo will almost always be successful -
> e.g. because so many RPs don't print the protocol prefix.
How would such an impersonation attack take place? Wouldn't it involve
the attacker controlling one or the other of the identifiers?